(BUSINESS
WIRE)-- Neustar, Inc. (NYSE: NSR), a trusted, neutral provider of
real-time information services, today published “DNSSEC: How Savvy DDoS
Attackers Are Using Our Defenses Against Us a research report that
details how Domain Name System Security Extensions (DNSSEC) can be
subverted as an amplifier in Distributed-Denial-of-Service (DDoS)
attacks. Neustar determined that on average, DNSSEC reflection can
transform an 80-byte query into a 2,313-byte response, an amplification
factor of nearly 30 times, which can easily cause a network service
outage during a DDoS attack, resulting in lost revenue and data
breaches.

“DNSSEC emerged as a tool to combat DNS hijacking, but
unfortunately, hackers have realized that the complexity of these
signatures makes them ideal for overwhelming networks in a DDoS attack,”
said Joe Loveless, Director Product Marketing, Security Services,
Neustar. “If DNSSEC is not properly secured, it can be exploited,
weaponized and ultimately used to create massive DDoS attacks.”

DNSSEC
was designed to provide integrity and authentication to DNS, which it
accomplishes with complex digital signatures and key exchanges. As a
result, when a DNS record is transferred to DNSSEC, an extraordinary
amount of additional information is created. Additionally, when issuing
the DNS command, “ANY,” the amplified response from DNSSEC is
exponentially larger than a normal DNS reply.

Key findings and recommendations from “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” include:

DNSSEC
Vulnerabilities Are Prolific – Neustar examined one industry with 1,349
domains and determined 1,084 of them (80 percent) could be maliciously
repurposed as a DDoS attack amplifier (they were signed with DNSSEC and
responded to the “ANY” command).

The Average DNSSEC
Amplification Factor is 28.9 – Neustar tested DNSSEC vulnerabilities
with an 80-byte query, which returned an average response of
2,313-bytes. The largest amplification response was 17,377-bytes, 217
times greater than the 80-byte query.

The Anatomy of a DNSSEC
Reflection Attack – Neustar illustrates the command and control servers
required to run the botnets and scripts that target DNS name servers to
execute DNSSEC amplification attacks.

Best Practices for
Mitigation –For organizations that rely on DNSSEC, Neustar recommends
ensuring that your DNS provider does not respond to “ANY” queries or has
a mechanism in place to identify and prevent misuse.

“Neustar is
focused on using connected sciences to connect people, places and
things, which is why network security is so imperative,” said Loveless.
“As more organizations adopt DNSSEC, it is critically important to
understand how to secure it. The time to fix it is now.”

For more
information about “DNSSEC: How Savvy DDoS Attackers Are Using Our
Defenses Against Us” please visit
https://hello.neustar.biz/201608---Security-Services---Trade-Show---Black-Hat_DNSSEC-LP.html.

About Neustar

Every
day, the world generates roughly 2.5 quadrillion bits of data. Neustar
(NYSE: NSR) isolates certain elements and analyzes, simplifies and edits
them to make precise and valuable decisions that drive results. As one
of the few companies capable of knowing with certainty who is on the
other end of every interaction, we’re trusted by the world’s great
brands to make critical decisions some 20 billion times a day. We help
marketers send timely and relevant messages to the right people. Because
we can authoritatively tell a client exactly who is calling or
connecting with them, we make critical real-time responses possible. And
the same comprehensive information that enables our clients to direct
and manage orders also stops attackers. We know when someone isn’t who
they claim to be, which helps stop fraud and denial of service before
they’re a problem. Because we’re also an experienced manager of some of
the world’s most complex databases, we help clients control their online
identity, registering and protecting their domain name, and routing
traffic to the correct network address. By linking the most essential
information with the people who depend on it, we provide more than
12,000 clients worldwide with decisions—not just data. More information
is available at http://www.neustar.biz